Win32/LockScreen.BNN [Threat Variant Name]

Short description

Win32/LockScreen.BNN is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entry:

The trojan copies all subkeys and values from the following Registry key [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot] into [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBootCP].

The original Registry subkeys and values from [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot] are then deleted.

The trojan may execute the following commands:

bcdedit /set {bootmgr} displaybootmenu off

bcdedit /set {current} bootstatuspolicy IgnoreAllFailures

bcdedit /set {current} recoveryenabled off

bcdedit /set {current} bootems off

bcdedit /set {current} advancedoptions off
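
A defender-side sketch, added here and not part of the original description: it scans process-creation and registry events for the bcdedit settings and SafeBoot key changes listed above and returns the hosts that show two or more of them. The event layout, the HKLM key prefix, the host names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The five bcdedit settings listed above, as (target, option, value), lowercased.
BCD_SETTINGS = {
    ("{bootmgr}", "displaybootmenu", "off"),
    ("{current}", "bootstatuspolicy", "ignoreallfailures"),
    ("{current}", "recoveryenabled", "off"),
    ("{current}", "bootems", "off"),
    ("{current}", "advancedoptions", "off"),
}
SAFEBOOT = r"hklm\system\currentcontrolset\control\safeboot"
BCD_RE = re.compile(r'bcdedit(?:\.exe)?"?\s+/set\s+(\{\w+\})\s+(\w+)\s+(\w+)', re.I)

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    if event["type"] == "process":
        m = BCD_RE.search(event["cmdline"])
        if m and tuple(g.lower() for g in m.groups()) in BCD_SETTINGS:
            return "bcdedit:" + m.group(2).lower()
    elif event["type"] == "registry":
        key = event["key"].lower().rstrip("\\")
        if event["op"] == "create" and key == SAFEBOOT + "cp":
            return "safeboot:copy_created"
        if event["op"] == "delete" and (key + "\\").startswith(SAFEBOOT + "\\"):
            return "safeboot:deleted"
    return None

def hosts_to_triage(events, min_findings=2):
    """Group findings per host; a single changed boot setting can be legitimate."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["host"]].add(label)
    return {h: sorted(f) for h, f in findings.items() if len(f) >= min_findings}

# Constructed sample events (hypothetical schema: host, type, cmdline or op + key).
SAMPLE = [
    {"host": "ws-01", "type": "process", "cmdline": r"C:\Windows\System32\bcdedit.exe /set {current} recoveryenabled off"},
    {"host": "ws-01", "type": "process", "cmdline": "bcdedit /set {bootmgr} displaybootmenu off"},
    {"host": "ws-01", "type": "registry", "op": "create", "key": r"HKLM\System\CurrentControlSet\Control\SafeBootCP"},
    {"host": "ws-01", "type": "registry", "op": "delete", "key": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal"},
    {"host": "ws-02", "type": "process", "cmdline": "bcdedit /set {current} bootstatuspolicy DisplayAllFailures"},
    {"host": "ws-03", "type": "process", "cmdline": "bcdedit /set {current} recoveryenabled off"},
]
if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE))
```

The threshold of two findings is a tuning choice made for this example; the SafeBoot copy-and-delete pair on its own is already a strong signal.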

The trojan hides windows of running processes which contain any of the following strings in their title:

Program Manager

Shell_TrayWnd

TrayNotifyWnd

TrayClockWClass

ToolbarWindow32

ReBarWindow32

MSTaskSwWClass

ToolbarWindow32

Progman

SHELLDLL_DefView

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP, HTTPS and TOR protocols are used in the communication.

1992 - 2017 ESET, spol. s r.o. - All rights reserved. Trademarks used therein are trademarks or registered trademarks of ESET, spol. s r.o. or ESET North America. All other names and brands are registered trademarks of their respective companies.